Slashdot Mirror
Apple Hires Former OLPC Security Director
imamac writes "It seems Apple is seeking to beef up security by hiring Ivan Krstic, the one-time director of security architecture at One Laptop per Child. 'Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it's rather trivial to launch exploits against the Mac.'"
Apparently they think now might be a good time to start battening down the hatches. They don't want to make mistakes like they did with the iPhone. Who seriously leaves a JTAG enabled and on the board of a production phone?
Let's see here. The guy that invented a good security system (nerd) is hired by a large corporation (news). So far we have nerd and news covered. Now let's see, how does this matter? As macs gain popularity they also garner the interest of people looking to make exploits for them. Apple is trying to head off the tide a little so they can still market as being more secure than their main competitor. Personally I'm a Freebsd/Linux fan, but for all the mac users out there I think that it matters. So there you have it, News for Nerds, Stuff that matters. Or maybe News about a Nerd, Stuff that Matters.
"Some books contain the machinery required to create and sustain universes."-Tycho
You're right, the number of exploits doesn't necessarily mean it's a more secure system, but the fact that (as you say) there aren't a proportionate amount to the size of the userbase does seem to imply decent security.
I personally haven't heard of any exploit in the wild except the trojan, for which the user has to be willing to provide their password to any old bit of software with unknown providence - to be honest I don't know how one could protect against that on any system. If there are other exploits out there I would like to know about it, but if there aren't then the author has no right to say it's "trivial to launch exploits against the Mac" unless he's demonstrating that by writing them himself.
Someone seems to be methodically modding down any comments that disagree with the submitter.
If the marketshare argument was true then there wouldn't have been any viruses for pre-OSX Macs either. But there were; lots of them.
There were also viruses for the Apple IIGS, hardly a market leader.
That's a tired old troll you have there, sir.
So they're only vulnerable to the hobbyist hackers... where are the successful malware examples from that group?
If the argument is that it's not worth anyone's time, then shouldn't you say that we don't know how vulnerable it is? I don't trust Apple implicitly, given how buggy early releases of many of their product seem to be, but this unfounded speculation does seem to be a popular troll that's used equally effectively against Linux. Try being a bit more responsible.
Those are my principles. If you don't like them I have others. -Groucho Marx
I personally haven't heard of any exploit in the wild except the trojan, for which the user has to be willing to provide their password to any old bit of software with unknown providence - to be honest I don't know how one could protect against that on any system.
Luckily, Ivan Krstic knows how. From a CNET article about Bitfrost:
Instead of blocking specific viruses, the system (Bitfrost) sequesters every program on the computer in a separate virtual operating system, preventing any program from damaging the computer, stealing files, or spying on the user. Viruses are left isolated and impotent, unable to execute their code.
I totally agree with you, but /. to degenerate the topic into "Macs are swiss cheese.." "no! widnows is swiss cheese".. etc..
grrr.. trust
I'm really interested in hearing about Krstic's security philosophy and it's merits/demerits. I found this talk on zdnet but there's only about 5 minutes of actual security architecture info in it at around 40:00 into the video. Oh, and there's also this BitFrost overview on Wikipedia. I think there are some cool concepts there. The idea of sandboxing all apps into containers with sets of standard rights, and restricting IPC to certain approved mechanisms is pretty interesting. Was hoping poeple could focus on BitFrost and Krstic's security philosophies so we could all learn something.
>> more exploits being found for OSX than Linux and windows
I don't believe that for Linux, and I certainly don't believe that for Windows.
Face it guys, OS X is built on a BSD userland with the same OpenSSH you all know and love. It uses the same owner/group/others file permissions. It ships with an excellent firewall, and no open ports by default.
IMO, it's as safe as Linux. The smart users will only ever see trojans and home-dir-deleting "viruses", and the dumb ones that type their password will get owned.
The probability of hitting a Mac, and then having the user enter their password into a random unexpected popup is too low for Macs to be a viable target.
Common sense is not so common.
How can threats from untrusted code (or vulnerabilities in trusted code) be able to exploit a JTAG header on the board of the device?
Unless, of course, you think that the owner of the device is somehow a "security threat"? I keep meeting people who think this, and I really don't understand it at all...
(actually, Krstic's Bitfrost system is *does* implement some local physical security, but that is to address a very specific threat: theft)
Apple execs have put down their glasses of marketing Kool-Aid and joined the real world.
Apple has always been a bit erratic when it comes to security, owing to their odd blend of cultures. To suggest, however, that they've been ignoring security is more than a little misguided. Leopard included the addition of a MAC framework ported from TrustedBSD, an application signing framework, and ACLs restricting some exposed services (like zeroconf) that would have been vulnerabilities otherwise. Apple has done a very good job of shipping an OS hardened enough to deal with the level of worm and virus infections facing it in the wild. Now, with trojans being a bigger concern, they bring in a person who helped write and implement a pretty decent MAC implementation for general, if limited use. With luck this may be the beginning of a new era of consumer level trojan mitigation, something Apple already laid the groundwork for but has not really implemented the UI and market components for.
Basically I disagree with you that Apple has been ignoring security and I disagree that OS X is as vulnerable to most classes of real world threats as Windows. I see this as Apple making a good hire that fits with their current security strategies, assuming that is what they hired him for.